
Details

An update for the Apache HTTP Server component for JBoss Enterprise Web Server 1.0.2 that fixes multiple security issues and one bug is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server ("httpd") is the namesake project of The Apache Software Foundation.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)
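As an added defender-side example (not part of this advisory and not code from the httpd project), the script below audits an httpd configuration for ProxyPassMatch directives, and RewriteRule directives carrying the proxy flag, whose pattern is not anchored at the URI root (`^/`). Anchoring the pattern at a leading slash was the configuration workaround published upstream for this issue; that guidance, the directive parsing, and the sample configuration are assumptions of the example rather than statements from this page.

```python
"""Audit an httpd configuration for proxy rules whose pattern is not anchored
at the URI root.  Example code added to this advisory page; the sample
configuration is constructed and does not describe any real deployment."""
import re
from typing import List, Optional, Tuple

# Constructed sample httpd.conf fragment: two weak rules followed by their
# hardened counterparts and one plain ProxyPass line that is out of scope.
SAMPLE_CONFIG = """
# weak: the pattern is not anchored at '/', so whatever the request URI
# starts with is spliced straight into the proxied target URL
RewriteEngine On
RewriteRule ^(.*) http://backend.example.internal$1 [P]
ProxyPassMatch ^(.*\\.php)$ http://php.example.internal$1

# hardened: every pattern starts with '^/' and the target repeats the slash
RewriteRule ^/(.*) http://backend.example.internal/$1 [P,L]
ProxyPassMatch ^/(.*\\.php)$ http://php.example.internal/$1
ProxyPass /app http://app.example.internal/app
"""

# directive, pattern, target and an optional [flag,flag] suffix (RewriteRule only)
_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?",
    re.IGNORECASE,
)


def is_proxy_rule(directive: str, flags: Optional[str]) -> bool:
    """ProxyPassMatch always proxies; RewriteRule only with the P/proxy flag."""
    if directive.lower() == "proxypassmatch":
        return True
    if not flags:
        return False
    return any(f.strip().lower() in ("p", "proxy") for f in flags.split(","))


def is_anchored(pattern: str) -> bool:
    """True when the regex can only match request URIs that begin with '/'."""
    return pattern.strip('"').startswith("^/")


def audit_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, directive text) for every proxying rule whose
    pattern is not anchored at the URI root."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        directive, pattern, _target, flags = match.groups()
        if is_proxy_rule(directive, flags) and not is_anchored(pattern):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: proxy pattern not anchored at '^/': {text}")
```

Run it against a real configuration by reading the file contents into `audit_config`; each finding is a rule to rewrite so that its pattern starts with `^/` and its target carries the corresponding `/` before the captured group, as in the hardened lines of the sample.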

It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. (CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user. (CVE-2011-3607)

A NULL pointer dereference flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed Cookie header. (CVE-2012-0021)

A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. (CVE-2012-0031)

Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

This update also fixes the following bug:

* The fix for CVE-2011-3192 provided by the RHSA-2011:1330 update introduced a regression in the way httpd handled certain Range HTTP header values. This update corrects this regression. (BZ#749071)

All users of JBoss Enterprise Web Server 1.0.2 as provided from the Red Hat Customer Portal are advised to apply this update.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

The Apache HTTP Server must be restarted for this update to take effect.